vendor: https://github.com/xinliangnote/go-gin-api
version: 1.2.7
The Verify function of signature_verify.go implements the function of comparing the Hmac signature.
However, the function uses == to compare the calculated signature with the signature we provided, and == is not a time-safe comparison function, developers should use equal() instead.
This means that the more similar the prefix of the signature we provide to the actual calculated signature, the longer the comparison will take, which can lead to temporal side-channel attacks. An attacker can learn the correct signature and bypass verification.